Currently, users can define TTL for their PKI
authorities(`pki_authorities`) by defining `not_after` argument.
It works because community.crypto collection that is used for standalone
plugin uses `*_not_after` argument to define a TTL for a certificate in
a format of `[+-]timespec`[1].
But there's one confusing thing: this format is not widely used and it's
definitely not a standard.
For example, hashicorp vault uses:
- `not_after` to define the date until when certificate should be valid
in a format of `YYYY-MM-ddTHH:MM:SSZ`[2]
- `ttl` to define a time-to-live for a certificate in a format of
`<duration><unit>`(ex. `7d`)
If we keep using `not_after`, there would be a conflict because
hashi_vault backend and standalone backend would expect completely different formats for these variables.
As a solution, this patch encourages users to start using `ttl` in
`<duration><unit>` format. It will work for both backends.
`not_after` for standalone backend will be supported for some time to
keep backwards compatibility.
[1] https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
[2] https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after
Change-Id: I6d4ab98fb41e279dc15c902990e3a24aa0235b08
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>
17fe111ea2